jvm ecosystem report 2018 - res.cloudinary.com · virtual jug, and to subscribers of java magazine,...

49
JVM Ecosystem Report 2018 A snapshot of the JVM landscape

Upload: hoangtruc

Post on 23-Dec-2018

224 views

Category:

Documents


0 download

TRANSCRIPT

JVM Ecosystem Report 2018A snapshot of the JVM landscape

01

Table of contents

02 About your tools06 Which IDE do you develop with

07 Which build tool do you use for your main project

08 Which Static quality tools do you use

09 Do you use static security tools in your testing

10 Which CI Server do you use

11 Which Source Code Management platform does your team use for your main project

12 Which code repository do you use for your main project

13 Which private binaryartifact repository do you use

14 Which testing technologies do you use

About your JDK01 Which Java vendorrsquos JDK do you use in production for your

main applications

02 Which Java SE version do you use in production for your main application

03 How do you plan to respond to Javarsquos new release cycle

04 What Java EE version do you use for your main application

05 What is the main JVM language you use for your main application

03 About your platform15 Which cloud platforms do you use

16 Which cloud approaches do you use

17 Which continuous deployment or release automation tools do you use

04 About your application18 Which other (non-JVM) languages does your application use

19 Which Web Frameworks do you use

20 Which ORM frameworks do you use

21 Which database do you use in production

22 Which application server do you use in production for your main application

23 Do you develop on the same application server you use in production

24 How many open source (direct) dependencies does your main application have

05

Table of contents

06 About you27 Where do you do your development work

28 How would you describe yourself

29 How do you rank your security expertise

30 How old are you

31 How many years of paid professional experience with Java do you have

32 What is the size of your company

33 Where do you principally get information about Java online

34 Are you a member of a Java User Group (JUG)

35 How much do you contribute to open source

About your processes25 How often do you release new versions of your code

26 How often do you audit your code

4All rights reserved 2018 copy Snyk amp Java Magazine

Welcome to the largest survey ever of Java developers

The data presented in the following report was taken

from more than 10200 questionnaires If you were one

of those survey-takers many thanks to you for putting

aside the time to share your experience for the benefit of

others

The survey was conducted by publishing its availability to

the Java community at large (via social media primarily)

to Java User Groups around the world including the

Virtual JUG and to subscribers of Java Magazine the

Java bimonthly publication from Oracle Corp As an

inducement to complete the survey a contribution to

Devoxx4Kids was promised by the sponsors of the survey

Snyk and Oracle

Devoxx4Kids organizes events worldwide where children

can develop computer games program robots and also

have an introduction to electronics

Their goal is to introduce teenagers to programming

robotics and engineering in a fun way to show teenagers

that it is possible to do something more creative with

computers

Information regarding respondents including

geographical location company size of their employer (if

any) age and experience with Java are presented at the

end of this survey

We appreciate constructive feedback and comments

especially regarding our analysis If you would like to be

contacted to participate in any future installments of this

survey please let us know We hope you enjoy reading

this report and can glean some useful insights from its

findings

Simon MapleDirector of Developer Advocacy Snyk

simonsnykiosjmaple

Andrew BinstockEditor in Chief Java Magazine Oracle

javamag_usoraclecomplatypusguy

Introduction

5All rights reserved 2018 copy Snyk amp Java Magazine

TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights

7 in 10 developers use the Oracle JDK in production

6 in 10 developers use Maven to build their main project

Almost 6 in 10 developers use Jenkins in CI

Almost 3 in 4 developers use Git as their SCM

Almost 8 in 10 developers use JUnit

4 in 10 developers use Spring Boot

Over 1 in 2 developers use Hibernate in their applications

4 in 10 developers use use Tomcat in production

19 in 20 developers use open source dependencies in their application

2 in 10 developers use OpenJDK in production

8 in 10 developers use Java SE version 8 in production

9 in 20 developers now use IntelliJ IDEA

8

Jenkins JUnit

01About your JDK

All rights reserved 2018 copy Snyk amp Java Magazine 7

01 Which Java vendorrsquos JDK do you use in production for your main applications

We start the report with a core question

With so many vendors providing their own

JDK implementations which offerings are

developers using in production for their

applications

We can see the dominance that Oracle JDK

and OpenJDK have over everyone else With 7

in 10 developers opting to use the Oracle JDK

and a further 2 in 10 opting for the OpenJDK

there isnrsquot much competition However

future licensing and support changes might

cause these numbers to change in the future

None

Other

Azul

Android SDK

Eclipse OpenJ9IBM J9

OpenJDK

Oracle JDK

70

21

42 1

1 1

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

01

Table of contents

02 About your tools06 Which IDE do you develop with

07 Which build tool do you use for your main project

08 Which Static quality tools do you use

09 Do you use static security tools in your testing

10 Which CI Server do you use

11 Which Source Code Management platform does your team use for your main project

12 Which code repository do you use for your main project

13 Which private binaryartifact repository do you use

14 Which testing technologies do you use

About your JDK01 Which Java vendorrsquos JDK do you use in production for your

main applications

02 Which Java SE version do you use in production for your main application

03 How do you plan to respond to Javarsquos new release cycle

04 What Java EE version do you use for your main application

05 What is the main JVM language you use for your main application

03 About your platform15 Which cloud platforms do you use

16 Which cloud approaches do you use

17 Which continuous deployment or release automation tools do you use

04 About your application18 Which other (non-JVM) languages does your application use

19 Which Web Frameworks do you use

20 Which ORM frameworks do you use

21 Which database do you use in production

22 Which application server do you use in production for your main application

23 Do you develop on the same application server you use in production

24 How many open source (direct) dependencies does your main application have

05

Table of contents

06 About you27 Where do you do your development work

28 How would you describe yourself

29 How do you rank your security expertise

30 How old are you

31 How many years of paid professional experience with Java do you have

32 What is the size of your company

33 Where do you principally get information about Java online

34 Are you a member of a Java User Group (JUG)

35 How much do you contribute to open source

About your processes25 How often do you release new versions of your code

26 How often do you audit your code

4All rights reserved 2018 copy Snyk amp Java Magazine

Welcome to the largest survey ever of Java developers

The data presented in the following report was taken

from more than 10200 questionnaires If you were one

of those survey-takers many thanks to you for putting

aside the time to share your experience for the benefit of

others

The survey was conducted by publishing its availability to

the Java community at large (via social media primarily)

to Java User Groups around the world including the

Virtual JUG and to subscribers of Java Magazine the

Java bimonthly publication from Oracle Corp As an

inducement to complete the survey a contribution to

Devoxx4Kids was promised by the sponsors of the survey

Snyk and Oracle

Devoxx4Kids organizes events worldwide where children

can develop computer games program robots and also

have an introduction to electronics

Their goal is to introduce teenagers to programming

robotics and engineering in a fun way to show teenagers

that it is possible to do something more creative with

computers

Information regarding respondents including

geographical location company size of their employer (if

any) age and experience with Java are presented at the

end of this survey

We appreciate constructive feedback and comments

especially regarding our analysis If you would like to be

contacted to participate in any future installments of this

survey please let us know We hope you enjoy reading

this report and can glean some useful insights from its

findings

Simon MapleDirector of Developer Advocacy Snyk

simonsnykiosjmaple

Andrew BinstockEditor in Chief Java Magazine Oracle

javamag_usoraclecomplatypusguy

Introduction

5All rights reserved 2018 copy Snyk amp Java Magazine

TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights

7 in 10 developers use the Oracle JDK in production

6 in 10 developers use Maven to build their main project

Almost 6 in 10 developers use Jenkins in CI

Almost 3 in 4 developers use Git as their SCM

Almost 8 in 10 developers use JUnit

4 in 10 developers use Spring Boot

Over 1 in 2 developers use Hibernate in their applications

4 in 10 developers use use Tomcat in production

19 in 20 developers use open source dependencies in their application

2 in 10 developers use OpenJDK in production

8 in 10 developers use Java SE version 8 in production

9 in 20 developers now use IntelliJ IDEA

8

Jenkins JUnit

01About your JDK

All rights reserved 2018 copy Snyk amp Java Magazine 7

01 Which Java vendorrsquos JDK do you use in production for your main applications

We start the report with a core question

With so many vendors providing their own

JDK implementations which offerings are

developers using in production for their

applications

We can see the dominance that Oracle JDK

and OpenJDK have over everyone else With 7

in 10 developers opting to use the Oracle JDK

and a further 2 in 10 opting for the OpenJDK

there isnrsquot much competition However

future licensing and support changes might

cause these numbers to change in the future

None

Other

Azul

Android SDK

Eclipse OpenJ9IBM J9

OpenJDK

Oracle JDK

70

21

42 1

1 1

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

05

Table of contents

06 About you27 Where do you do your development work

28 How would you describe yourself

29 How do you rank your security expertise

30 How old are you

31 How many years of paid professional experience with Java do you have

32 What is the size of your company

33 Where do you principally get information about Java online

34 Are you a member of a Java User Group (JUG)

35 How much do you contribute to open source

About your processes25 How often do you release new versions of your code

26 How often do you audit your code

4All rights reserved 2018 copy Snyk amp Java Magazine

Welcome to the largest survey ever of Java developers

The data presented in the following report was taken

from more than 10200 questionnaires If you were one

of those survey-takers many thanks to you for putting

aside the time to share your experience for the benefit of

others

The survey was conducted by publishing its availability to

the Java community at large (via social media primarily)

to Java User Groups around the world including the

Virtual JUG and to subscribers of Java Magazine the

Java bimonthly publication from Oracle Corp As an

inducement to complete the survey a contribution to

Devoxx4Kids was promised by the sponsors of the survey

Snyk and Oracle

Devoxx4Kids organizes events worldwide where children

can develop computer games program robots and also

have an introduction to electronics

Their goal is to introduce teenagers to programming

robotics and engineering in a fun way to show teenagers

that it is possible to do something more creative with

computers

Information regarding respondents including

geographical location company size of their employer (if

any) age and experience with Java are presented at the

end of this survey

We appreciate constructive feedback and comments

especially regarding our analysis If you would like to be

contacted to participate in any future installments of this

survey please let us know We hope you enjoy reading

this report and can glean some useful insights from its

findings

Simon MapleDirector of Developer Advocacy Snyk

simonsnykiosjmaple

Andrew BinstockEditor in Chief Java Magazine Oracle

javamag_usoraclecomplatypusguy

Introduction

5All rights reserved 2018 copy Snyk amp Java Magazine

TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights

7 in 10 developers use the Oracle JDK in production

6 in 10 developers use Maven to build their main project

Almost 6 in 10 developers use Jenkins in CI

Almost 3 in 4 developers use Git as their SCM

Almost 8 in 10 developers use JUnit

4 in 10 developers use Spring Boot

Over 1 in 2 developers use Hibernate in their applications

4 in 10 developers use use Tomcat in production

19 in 20 developers use open source dependencies in their application

2 in 10 developers use OpenJDK in production

8 in 10 developers use Java SE version 8 in production

9 in 20 developers now use IntelliJ IDEA

8

Jenkins JUnit

01About your JDK

All rights reserved 2018 copy Snyk amp Java Magazine 7

01 Which Java vendorrsquos JDK do you use in production for your main applications

We start the report with a core question

With so many vendors providing their own

JDK implementations which offerings are

developers using in production for their

applications

We can see the dominance that Oracle JDK

and OpenJDK have over everyone else With 7

in 10 developers opting to use the Oracle JDK

and a further 2 in 10 opting for the OpenJDK

there isnrsquot much competition However

future licensing and support changes might

cause these numbers to change in the future

None

Other

Azul

Android SDK

Eclipse OpenJ9IBM J9

OpenJDK

Oracle JDK

70

21

42 1

1 1

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

4All rights reserved 2018 copy Snyk amp Java Magazine

Welcome to the largest survey ever of Java developers

The data presented in the following report was taken

from more than 10200 questionnaires If you were one

of those survey-takers many thanks to you for putting

aside the time to share your experience for the benefit of

others

The survey was conducted by publishing its availability to

the Java community at large (via social media primarily)

to Java User Groups around the world including the

Virtual JUG and to subscribers of Java Magazine the

Java bimonthly publication from Oracle Corp As an

inducement to complete the survey a contribution to

Devoxx4Kids was promised by the sponsors of the survey

Snyk and Oracle

Devoxx4Kids organizes events worldwide where children

can develop computer games program robots and also

have an introduction to electronics

Their goal is to introduce teenagers to programming

robotics and engineering in a fun way to show teenagers

that it is possible to do something more creative with

computers

Information regarding respondents including

geographical location company size of their employer (if

any) age and experience with Java are presented at the

end of this survey

We appreciate constructive feedback and comments

especially regarding our analysis If you would like to be

contacted to participate in any future installments of this

survey please let us know We hope you enjoy reading

this report and can glean some useful insights from its

findings

Simon MapleDirector of Developer Advocacy Snyk

simonsnykiosjmaple

Andrew BinstockEditor in Chief Java Magazine Oracle

javamag_usoraclecomplatypusguy

Introduction

5All rights reserved 2018 copy Snyk amp Java Magazine

TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights

7 in 10 developers use the Oracle JDK in production

6 in 10 developers use Maven to build their main project

Almost 6 in 10 developers use Jenkins in CI

Almost 3 in 4 developers use Git as their SCM

Almost 8 in 10 developers use JUnit

4 in 10 developers use Spring Boot

Over 1 in 2 developers use Hibernate in their applications

4 in 10 developers use use Tomcat in production

19 in 20 developers use open source dependencies in their application

2 in 10 developers use OpenJDK in production

8 in 10 developers use Java SE version 8 in production

9 in 20 developers now use IntelliJ IDEA

8

Jenkins JUnit

01About your JDK

All rights reserved 2018 copy Snyk amp Java Magazine 7

01 Which Java vendorrsquos JDK do you use in production for your main applications

We start the report with a core question

With so many vendors providing their own

JDK implementations which offerings are

developers using in production for their

applications

We can see the dominance that Oracle JDK

and OpenJDK have over everyone else With 7

in 10 developers opting to use the Oracle JDK

and a further 2 in 10 opting for the OpenJDK

there isnrsquot much competition However

future licensing and support changes might

cause these numbers to change in the future

None

Other

Azul

Android SDK

Eclipse OpenJ9IBM J9

OpenJDK

Oracle JDK

70

21

42 1

1 1

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

5All rights reserved 2018 copy Snyk amp Java Magazine

TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights

7 in 10 developers use the Oracle JDK in production

6 in 10 developers use Maven to build their main project

Almost 6 in 10 developers use Jenkins in CI

Almost 3 in 4 developers use Git as their SCM

Almost 8 in 10 developers use JUnit

4 in 10 developers use Spring Boot

Over 1 in 2 developers use Hibernate in their applications

4 in 10 developers use use Tomcat in production

19 in 20 developers use open source dependencies in their application

2 in 10 developers use OpenJDK in production

8 in 10 developers use Java SE version 8 in production

9 in 20 developers now use IntelliJ IDEA

8

Jenkins JUnit

01About your JDK

All rights reserved 2018 copy Snyk amp Java Magazine 7

01 Which Java vendorrsquos JDK do you use in production for your main applications

We start the report with a core question

With so many vendors providing their own

JDK implementations which offerings are

developers using in production for their

applications

We can see the dominance that Oracle JDK

and OpenJDK have over everyone else With 7

in 10 developers opting to use the Oracle JDK

and a further 2 in 10 opting for the OpenJDK

there isnrsquot much competition However

future licensing and support changes might

cause these numbers to change in the future

None

Other

Azul

Android SDK

Eclipse OpenJ9IBM J9

OpenJDK

Oracle JDK

70

21

42 1

1 1

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

01About your JDK

All rights reserved 2018 copy Snyk amp Java Magazine 7

01 Which Java vendorrsquos JDK do you use in production for your main applications

We start the report with a core question

With so many vendors providing their own

JDK implementations which offerings are

developers using in production for their

applications

We can see the dominance that Oracle JDK

and OpenJDK have over everyone else With 7

in 10 developers opting to use the Oracle JDK

and a further 2 in 10 opting for the OpenJDK

there isnrsquot much competition However

future licensing and support changes might

cause these numbers to change in the future

None

Other

Azul

Android SDK

Eclipse OpenJ9IBM J9

OpenJDK

Oracle JDK

70

21

42 1

1 1

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 7

01 Which Java vendorrsquos JDK do you use in production for your main applications

We start the report with a core question

With so many vendors providing their own

JDK implementations which offerings are

developers using in production for their

applications

We can see the dominance that Oracle JDK

and OpenJDK have over everyone else With 7

in 10 developers opting to use the Oracle JDK

and a further 2 in 10 opting for the OpenJDK

there isnrsquot much competition However

future licensing and support changes might

cause these numbers to change in the future

None

Other

Azul

Android SDK

Eclipse OpenJ9IBM J9

OpenJDK

Oracle JDK

70

21

42 1

1 1

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 8

02 Which Java SE Version do you use in production for your main app

There were significant structural changes to the JDK in Java 9 which many predicted would affect

migration and adoption We can see from the results (note that the survey was open midway between

the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10

respondents say their main applications use it in production Equally significant is that fewer than half

the remaining non-Java 8 respondents are on a more recent version

79

40

0

10

20

30

40

50

60

70

80

49

3 1

11 EA109876 or lower We donrsquot

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 9

03 How do you plan to respond to Javarsquos new release cycle

While the Java 9 release brought with it some major

architectural changes it also introduced a new

release cadence in which Java SE versions ship every

six months Every two to three years a Long Term

Support (LTS) release offers longer-term support

such as security updates and so forth Note that

Java 9 is not an LTS release This question asks how

development teams will respond to this new release

cadence The responses were varied suggesting there

is still some uncertainty about how to proceed In fact

almost 1 in 3 developers donrsquot yet know how they will

respond to the new release cycle

We expect that in the forthcoming year best practices

will emerge and companies will settle into a preferred

migration cycle which likely will vary considerably by

industry As a result we expect that the ldquoDonrsquot know

yetrdquo figure will drop but we donrsquot know which of the

other buckets will see increases

Donrsquot know yet

Stay with long-term support (LTS) releases

Decide on a release-by-release basis

Always stay on the latest version of Java

28

8

30

34

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

10All rights reserved 2018 copy Snyk amp Java Magazine

Almost 4 in 10 respondents claim they do not use

enterprise Java Of those who do the majority are

on version 7 Java EE 8 was released in September

2017 so itrsquos promising to see that within less than a

year of release it is almost the most popular version

Unlike Java SE a release of Java EE takes a

longer to be adopted because it takes longer for

implementations to become available

In addition app server vendors require time to

adopt and implement the specifications

Wersquoll be keen to see how these numbers shift as

Jakarta EE 8 begins its rollout and adoption We

should spare a thought for the 2 who are

struggling on J2EE--a version whose last major

release was in 2003

04 What Java EE version do you use for your main application

2

27

10

0

10

20

30

40

22

2

38

Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

11All rights reserved 2018 copy Snyk amp Java Magazine

Exactly 9 in 10 JVM users are using Java for their

main applications While many projects today

are defined as multilanguage or polyglot the

part on the JVM primarily runs Java

Despite this strong preference for Java JVM-

based developers have consistently shown great

interest in other JVM languages as supported

by the popularity of articles about them in Java

Magazine and on major programming sites

For the last few years the emerging and ldquohotrdquo

JVM language has been Kotlin from JetBrains

which continues to make steady progress It is

now a supported language for development on

Android and it is the second major language for

writing scripts for the build tool Gradle (behind

Groovy) All this adoption has move Kotlin past

Scala and just past Groovy in our survey

The 30 figure for Clojure is remarkably high

and signals--to us at least--the continued interest

in functional programming The functional

orientation of many Java 8 features shows the

imprint of functional programming on Java itself

05 What is the main JVM language you use for your main application

90

300

242

236

183060

Java

Clojure

Kotlin

Groovy

Scala

Other

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

02About your tools

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 13

06 Which IDE do you develop with

The graph here is consistent with other recent

surveys IntelliJ passing Eclipse in the last one

to two years and Apache NetBeans staying at

around 10 of the market The 45 total votes

of IntelliJ consist of 32 IntelliJ IDEA Ultimate

Edition (the paid version) 11 IntelliJ Community

Edition (the free version) and 2 Android Studio

users The Eclipse category includes Eclipse STS

JBoss tools Rational Application Developer and

other Eclipse-based tools

The numbers of Apache NetBeans users havenrsquot

altered much which suggests that the migration

from Oracle to the Apache Software Foundation

hasnrsquot affected its user base Itrsquos also worth

mentioning that Visual Studio Code has made an

appearance which although is only 1 shows itrsquos

starting to make its mark in the Java community

Also a tip of the hat to the lsquovivimemacsetcrsquo

group who are probably reading this report on a

tablet (carved out of stone)

3

38

11

0

10

20

30

40

45

1 1

ApacheNetBeans

EclipseIDE

IntelliJIDEA

ViVimEmacsetc

Visual StudioCode

OracleJDeveloper

PaidFree

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 14

07 Which build tool do you use for your main project

In examining the numbers itrsquos important to note that we

asked for the principal build tool used We want to know

which build tool you rely on for your main project It can

also be interesting to know which build tools teams use

across all their projects but the plethora of answers tends

to dilute the usefulness of the responses As we can see

here Maven clearly dominates with a 31 ratio over itrsquos

closest rival Gradle Ant is still in use by 1 in 10 developers

whereas 1 in 20 use nothing

In a 2016 version of a similar survey by RebelLabs (2000

respondents) Maven stood at 68 and Gradle at 16

Gradlersquos improved adoption rate is due perhaps to the

addition of support for Kotlin as the scripting language

Gradle is also the default build engine for Android projects

However its progress against Maven has been slow

6

60

11

0

10

20

30

40

50

60

19

4

AntMaven Gradle NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 15

08 Which Static quality tools do you use

Before you send that email or tweet trying to fix the

internet note that this is a multiple choice question

so numbers here are not do not add up to 100 One

take away from this data is that there are really only a

handful of static quality tools in popular use with no

real surprises at the top SonarQube Findbugs and

Checkstyle dominate

Possibly most surprising is that 36 of respondents

donrsquot use any static quality tool whatsoever This is

most surprising as we expect that static quality tools

are the norm

0 10 20 30

27

6

3

39

23

15

8

SonarQube

Findbugs

Checkstyle

PMD

Cobertura

Emma

JDepend

40

Coverity

Other

2

8

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 16

09 Do you use static security tools in your testing

Security testing is becoming a hot topic that is headlined by

significant breaches across many different companies Yet still

today most sites do not use any static security tool whatsoever

In fact 72 of respondents almost three-quarters donrsquot use

any static tooling anywhere in their pipeline potentially leaving

them open to known vulnerabilities We hope a wider adoption

of security tools will appear in future surveys

Do use a security tool

Do not use a security tool

28

72Do use a security tool

Do not use a security tool

28

72

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 17

10 Which CI Server do you use

As most developers would expect Jenkins wins the CI

server race with a whopping 57 market share Itrsquos closest

competitor is ldquononerdquo at 21 of the vote which almost

matches the rest of the competition combined (at 22) The

remaining CI servers have less than 5 of the market share

each with Hudson the elderly relative of Jenkins struggling

on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS

(Visual Studio Team Server) which is not usually thought of

in the JavaJVM space clocks in at 2

Most developers we believe expect that nearly all sites

today use continuous integration So itrsquos startling to see

that 1 in 5 applications do none at all Even personal projects

today use CI (such as Travis CI and CircleCI) which are

made available on public project-hosting sites such as

Bitbucket and GitHub If yoursquore one of the 21 who donrsquot

use CI on your projects wersquod love to hear why

0 10 20 30

2

2

2

1

57

5

4

CircleCI

Travis CI

Jenkins

Bamboo

TeamCity

Hudson

VSTS

40

Other

None

5

21

50

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 18

11 Which Source Code Management platform does your team use for your main project

As expected Git has convincingly won the

horse race in source code management If

you were in any doubt as to the extent of its

dominance almost 3 in 4 of our respondents

work in teams that use Git to manage their

codebases Subversion now covers the

majority of the remaining respondents and

somehow in 2018 3 of people still donrsquot

use source code management whatsoever

Sometimes there are no words

3

74

16

7

None

Other

Subversion

Git

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 19

12 Which code repository do you use for your main project

With code repositories the story is quite

different from SCM much more spread out

with GitHib and Bitbucket neck-and-neck at

25 each and GitLab close behind at 20

We could call those the ldquobig threerdquo of project

hosting Note that this question is not just for

public projects (in which we expect GitHub

would have a more significant lead) but also

for public and private project hosting

Microsoftrsquos recent acquisition of GitHub

might affect its future adoption rate and

wersquoll know more in future surveys Of the

25 share that GitHub has just over half

(52) of those respondents are using the

public version whereas the remainder (48)

are using the private GitHub Enterprise on-

premises offering VSTS makes up part of the

ldquootherrdquo bracket with 2

25

18

12

Other

None

GitLab

Bitbucket

GitHub

25

20

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 20

13 Which private binaryartifact repository do you use

Most sites donrsquot use a packaged artifact

repository--in theory because they donrsquot have

the need Those that like the convenience

it offers choose the well established Nexus

which is heavily focused on the JVM

ecosystem followed by JFrogrsquos Artifactory

which is somewhat more popular across

polyglot ecosystems

None

Other

Artifactory

Nexus38

22

33

7

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 21

14 Which testing technologies do you use

With an amazing (almost) 4 in 5 people using JUnit

and TestNG used by 10 more itrsquos clear that unit

testing by far the most dominant testing practice in the

JVM ecosystem (Respondents could choose multiple

answers so totals exceed 100) As to mocking itrsquos

now clear that Mockito has emerged as the preferred

mocking framework

With JMeter being used by almost 1 in 4 respondents and

Gatling by 5 we can see that the need for performance

testing is becoming much better appreciated Selenium

takes an impressive 29 Unlike the results for static

quality tools only 10 of respondents say they donrsquot use

any testing tool whatsoever

Hang onhellip 1 in 10 people donrsquot use a testing tool We

should move on before we lose faith in humanity

78

0 20 40 60

45

29

11

6

5

22

10

10

6

JUnit

Mockito

Selenium

JMeter

Cucumber

TestNG

PowerMock

Spock

Arquillian

Gatling

80

Other

None

6

10

10 30 50 70

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

03About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 23

From our data we can say that 57 of respondents use a

cloud platform of some sort

If we consider only the set of respondents who do use

cloud platforms we can see Amazon Web Services (AWS)

leading the pack with almost two-thirds of the votes

Microsoft Azure and the Google Cloud Platform are next

taking 18 and 20 respectively and Red Hat Openshift

and Oracle Cloud are making inroads

15 Which cloud platforms do you use

Do you use cloud platforms

No we donrsquot Yes we do

57

43

0 10 20 30

20

4

4

63

18

10

6

AmazonAWS

GoogleCloud

Azure

Red HatOpenShift

OracleCloud

IBM Cloud

Pivotal CloudFoundry

40

Cloud Foundry

Other

3

10

50 60

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 24

16 Which cloud approaches do you use

Containers lead the way on 43 while VMs stay in the game pretty at 33

As a relatively new technology ServerlessFass comes in strongly with

almost 1 in 10 respondents adopting this approach PaaS which has been

around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use

any cloud approach at all

10

43

33

0

10

20

30

40

9

33

1

VMs Containers ServerlessFaaS

PaaS NoneOther

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 25

Almost 1 in 2 respondents donrsquot use any continuous deployment

or release automation tools whatsoever This might even be

higher as almost 1 in 5 donrsquot have any idea which tools are used

in CD or release automation Itrsquos somewhat surprising to see

bash as popular as Chef and Puppet

Actually whom are we kidding--Everyone loves bash

Ansible is the leading CD tool at 16

17 Which continuous deployment or release automation tools do you use

12

85

0

10

20

30

40

16

43

18

9

Chef PuppetAnsible bash We donrsquotNo ideaOther

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

04About your application

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 27

In todayrsquos polyglot world it would be naive to assume that

JVM languages are the only languages used in JVM apps

In fact more than half of JVM applications use front-end

JavaScript as well 1 in 5 use Python and almost 1 in 4 use

Nodejs As yoursquod expect many projects use SQL as well

18 Which other (non-JVM) languages does your application use

0 10 20 30

23

9

5

56

21

10

9

SQL

Nodejs

Python

C

C

PHP

Go

40

Other

None

19

8

50 60

Front endJavaScript 57

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 28

Few words can better express the Spring domination in the Java

ecosystem than this graph With 1 in 10 developers using Spring

Boot in their applications itrsquos interesting to see it has overtaken

the Spring MVC framework for the first time JSF is the closest

entrant with a respectable 19 and Struts despite a constant

stream of Remote Code Execution vulnerabilities in the news

is a strong fourth with almost 4 in 10 developers adopting it

More than 1 in 5 developers likely boast about how small their

applications are not needing a web framework at all

19 Which Web Frameworks do you use

40

0 10 20 30

36

19

5

3

3

2

6

9

3

3

Spring MVC

Spring Boot

JSF

Vaadin

GWT

Play

Struts

Grails

JHipster

DropWizard

Wicket

40

None

Other

21

8

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 29

More than 1 in every 2 developers use

Hibernate in their applications Almost 1 in

4 developers are happy with plain old JDBC

and Spring developers of course have the

option of using Spring JDBC template which

is used by 23 1 in 5 developers donrsquot use any

ORM framework whatsoever to access their

data (Developers could choose more than

one answer so totals do not equal 100)

20 Which ORM frameworks do you use

10

23

54

0

10

20

30

40

23

6

20

6

Hibernate Plain JDBC Spring JDBCTemplate

EclipseLink

MyBatis NoneOther

50

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 30

Once again Oracle Database takes the top

spot with almost 3 in 10 applications using

it in production MySQL and PostgreSQL

are strong competitors taking 21 and

20 respectively MongoDB is the highest

NoSQL database in use with 5

21 Which database do you use in production

27

0 10 20 30

4

5

21

20

4

6

2

1

1

9

DB2

Oracle Database

MongoDB

MySQL

Cassandra

PostgreSQL

H2

Redis

MS SQL

None

Other

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 31

More than 4 in 10 respondents use Tomcat as their

application server of choice The fast lightweight open

source community favorite has led the pack for a long

time now and it doesnrsquot look like thatrsquos going to change

any time soon JBoss and Wildfly are not too far behind

at 15 In the larger enterprise app server category

WebLogic has a slight lead over WebSphere

The ldquoOtherrdquo category contains TomEE and Liberty Profile

at 1 each which lead that group

22 Which application server do you use in production for your main application

0 10 20 30

41

5

5

15

9

6

Tomcat

JBossWildfly

Jetty

Oracle WebLogic

IBM WebSphere

GlassfishPayara

40

Other

None

6

13

50

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 32

Despite the obvious dangers more than one-third of

respondents develop on a different server from the one

they use in production--trading the possible cost of

failures for the convenience Surprisingly those who

state they use different application servers (or none)

in development actually have a wide variety of apps

and servers in production We were expecting mostly

the larger monolith-suited app servers that could cause

developers pain to use locally but the ratios were

comparable

23 Do you develop on the same application server you use in production

NoYes

64

36

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 33

It would be interesting to know how many people had to check to

see how many direct dependencies their application has Irsquod bet

it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct

and transitive dependencies too In fact almost 1 in 4 respondents

openly state they donrsquot know how many dependencies they have

This might be because of the way the application is distributed

across a more complex build system

We can see from the results that fewer than 1 in 20 respondents

donrsquot use any open source dependencies whereas the

overwhelming 72 do If we remove those who donrsquot know

we can see that 95 or 19 of 20 respondents use open

source dependencies in their applications This shows how far

open source adoption has come as well as the need for us to

ensure these third-party libraries provide security quality and

availability we require from our application as a whole

24 How many open source (direct) dependencies does your main application have

1518

15

0

10

20

30

4

2523

6-101-50 10-20 20+ Donrsquot know

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

05About your processes

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 35

Worryingly almost 1 in 4 respondents (24) donrsquot know how

often their code is released This again might be due to the

complexity of the application and perhaps different services

are being released at various times

Almost 1 in 10 respondents are brave enough to release

multiple times a day but then again when you release that

often bravery is replaced with consistency The majority of

respondents release once every couple of weeks to once a

month More than 1 in 10 respondents release once every

six months or less Better clear my plans for the week wersquore

releasing on Monday

25 How often do you release new versions of your code

Do you know

No Yes

76

24

7

0 10 155 20

3

12

18

13

3

1

18

14

7

4

Once a day

Multiple times a day

Once a week

Once a month

Once every 2 weeks

Every couple of months

A few times a week

Once a quarter

Every 6 months

Once a year

Less than once a year

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 36

About half the sites audit their code And only almost 1

in 4 do so more than once a quarter Whether the audit

be for security performance or quality itrsquos good to have a

clear out With half of the respondents not auditing their

code whatsoever just imagine the gremlins that could

exist in those codebases

26 How often do you audit your code

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

50

24

11

6

63

Once a month or more

Every couple of years

Every year

Every 6 months

Every quarter

We donrsquot

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

06About you

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 38

27 Where do you do your development work

Not much to say here other than we expected

more respondents to come from North America

Perhaps theyrsquove lost all confidence in

voting altogether

Itrsquos great to see representation from all corners

of the globe Hmmm do globes have corners

1 55

5322

9

13

2

2

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 39

28 How would you describe yourself

We can see the vast majority of respondents

are technical with 87 either being developers

team leaders or architects More than half

state they are software developers And 2 of

C-level respondents took the time out of their

schedules to take our quiz

0 10 20 30

4

12

3

2

58

17

C-level

Consultant

SoftwareDeveloper

Architect

TeamLeader

Hobbyist

40

ProjectManager

Other

2

2

50

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 40

Security is often considered one of the dark arts Many

developers learn only lsquojust enoughrsquo to get by and allow

them to deliver their feature work meaning the real

experts are those who have a dedicated security career

As developers are owning more and more application

security responsibility being owned by developers

this is becoming a hot topic In our survey1 of

respondents state they have zilch none zero out of ten

security knowledge and are just happily writing their

struts applications Ok we made that last bit up The

same number state they are true security experts and

modestly gave themselves 10 out of 10 The majority sit

around the 5-7 mark with 6 in 10 respondents stating

theyrsquore no expert but certainly not novices

29 How do you rank your security expertise

0

10

15

5

20

21

5

10

20

2

1

12

19 19

9

0 1 2 3 4 5 6 7 8 9 10

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 41

Programming remains a profession associated

with the young and early middle-aged 38 of

readers are younger than 35 35 are between

35 and 45 and only 25 are older than that

Survey data shows a correlation between

positions of greater responsibility and age

suggesting that the lower numbers after

middle age are in part due to programmers

moving into management positions

30 How old are you

0 10 20

1

17

16

10

4

1

19

19

7

4

Under 21

21-30

41-45

36-40

46-50

31-35

51-55

56-60

60+

Prefer not to say

5 15

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 42

There was quite a range of experience among our

respondents as you can see from the graph but we

wanted to also look at the median ages of our job

roles back from question 28 to see when people

typically receive promotions The results are very

interesting with the median developer having 10

yearsrsquo experience team leaders 11 yearsrsquo experience

architects with 14 years and finally C-levels with 12

yearsrsquo experience

31 How many years of paid professional experience with Java do you have

2222

28

0

10

20

30

7

17

3

6-101-50 11-15 16-20 21-25

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 43

23

32

27

0

10

20

30

16

2

100-99910-990-9 1000+ Unemployed

40

With almost 40 of respondents working for companies that have less than 100

employees we see that Java continues to have a significant role in startups and

in small-to-medium businesses This finding is at odds with the perception of

Java being the language for enterprise apps

It is that certainly but definitely not only that

32 What is the size of your company

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 44

StackOverflow remains the preferred forum for asking

one-off questions and grepping replies to previous

answers for useful information Oraclersquos excellent

documentation is a natural place for reference Java

Magazine presents long-form in-depth articles for

readers wishing to fully understand a topic and

YouTube does the equivalent in video form DZone

and to a lesser extent InfoQ overlap all these areas

(Respondents could choose multiple answers)

33 Where do you principally get information about Java online

0 20 40 60

62

38

10

8

41

32

24

18

StackOverflow

Oraclersquos documentation

Java Magazine

DZone

YouTube

InfoQ

Reddit

Java Ranch

Vimeo

Other

1

6

10 30 50 70

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 45

JUGs remain an underused resource in the community

with only 1 in 5 developers attending one meeting a year

The overwhelming two-thirds of respondents are not

members of any JUG whatsoever If geography is a factor

for those developers the Virtual Java User Group is an

excellent solution

34 Are you a member of a Java User Group (JUG)

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

Yes and I attend most meetings

Yes and I attend 1-2 meetingsper year

Yes but I donrsquot attend meetings

No13

7

67

13

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

All rights reserved 2018 copy Snyk amp Java Magazine 46

Open source remains what it has primarily been from the start the

domain of a small minority of dedicated developers

The existence of GitHub and other easily accessible code repositories

has helped developers to contribute their code but with more than 1

in 2 developers never having contributed to an open source project

therersquos still a lot of work to be done You should want to contribute

back so that rather than just being one of the 19 in 20 developers

using open source you can one day be one of the 19 in 20 developers

contributing to open source

35 How much do you contribute to open source

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

5521

5

2

3

I (co)maintain multiple opensource projects

I (co)maintain 1-2 open sourceprojects

Member of an open sourcefoundationcompany

Frequent pull requests

I opened 1-2 pull requests

Never have

6

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

47All rights reserved 2018 copy Snyk amp Java Magazine

V 7 in 10 developers use the Oracle JDK in production

V 2 in 10 developers use OpenJDK in production

V 8 in 10 developers are on Java SE version 8 in production

V 1 in 10 developers have migrated to version 9 or higher

V Almost 3 in 10 developers dont know how to handle the new Java release cadence

V Over 3 in 10 developers plan to only stay on the LTS releases of Java

V Only 1 in 10 developers plan to stay on the latest version of Java

V Almost 5 in 10 developers are on Java EE 7 or 8

V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it

V 9 in 10 JVM developers use Java

V Kotlin edges past Groovy and Scala in language usage on 242

V 9 in 20 developers now use IntelliJ IDEA

V 6 in 10 developers use Maven to build their main project

V Over 7 in 10 developers still dont use static security tools

V Almost 6 in 10 developers use Jenkins in CI

V Almost 3 in 4 developers use Git as their SCM

V GitHub BitBucket and GitLab take an almost even share of the code repository market

V Almost 8 in 10 developers use JUnit

About your JDK About your Tools

Summary

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform

48All rights reserved 2018 copy Snyk amp Java Magazine

V Almost 6 in 10 developers also have front-end JavaScript in their application

V Almost 1 in 4 developers also use Node in their application

V 4 in 10 developers use Spring Boot

V Over 1 in 2 developers use Hibernate in their applications

V Almost 3 in 10 developers use Oracle Database in production

V 4 in 10 developers use Tomcat in production

V 1 in 4 developers have no idea how many OS dependencies their application brings in

V 19 in 20 developers use open source dependencies in their application

V 1 in 10 developers release their code multiple times a day

V Half of developers dont have their codebases audited

About your application

About your processes

V Over 6 in 10 developers who use cloud platforms deploy on AWS

V Over 4 in 10 developers use Containers

V Over 4 in 10 developers use no CD tools whatsoever

About your platform